wsv 0.10.1 → 0.12.0

data/lib/wsv/server.rb

@@ -3,6 +3,7 @@
 require "openssl"
 require "socket"
 require_relative "app"
+require_relative "cors"
 require_relative "server/banner"
 require_relative "server/browser_launcher"
 require_relative "server/connection"
@@ -26,7 +27,9 @@ module Wsv
       tls: nil,
       spa: false,
       open: false,
-      cors: false
+      cors: false,
+      quiet: false,
+      app: nil
     )
       @host = host
       @port = port
@@ -37,7 +40,11 @@ module Wsv
       @tls = tls
       @ssl_context = tls&.to_ssl_context
       @open = open
-      @app = App.new(@root, spa: spa, cors: cors)
+      @cors = Cors.new if cors
+      @access_log = quiet ? NullAccessLog.new : AccessLog.new(out: out)
+      # `app:` lets callers plug in a custom request handler in place of
+      # the default file server.
+      @app = app || App.new(@root, spa: spa, cors: @cors)
       @throttle = ConnectionThrottle.new(max: max_connections, err: err)
       @running = false
     end
@@ -73,6 +80,15 @@ module Wsv
           next
         end
 
+        # Disable Nagle so small writes (SSE frames, headers) are not held
+        # in the TCP send buffer waiting for an ACK. Applies before any TLS
+        # wrap; NODELAY is a TCP-layer option that persists through SSL.
+        begin
+          client.setsockopt(:TCP, :NODELAY, 1)
+        rescue StandardError
+          nil
+        end
+
         begin
           spawn_handler(client)
         rescue StandardError => e
@@ -88,7 +104,8 @@ module Wsv
 
     def spawn_handler(client)
       accepted = @throttle.try_spawn do
-        Connection.new(maybe_wrap_tls(client), err: @err).serve(@app, read_timeout: @read_timeout)
+        Connection.new(maybe_wrap_tls(client), err: @err, cors: @cors, access_log: @access_log)
+                  .serve(@app, read_timeout: @read_timeout)
       end
       spawn_rejection(client) unless accepted
     end
@@ -102,10 +119,10 @@ module Wsv
       reply = !@ssl_context
       Thread.new do
         Thread.current.report_on_exception = false
-        Connection.new(client, err: @err).reject(reply: reply)
+        Connection.new(client, err: @err, cors: @cors, access_log: @access_log).reject(reply: reply)
       end
     rescue ThreadError
-      Connection.new(client, err: @err).reject(reply: reply)
+      Connection.new(client, err: @err, cors: @cors, access_log: @access_log).reject(reply: reply)
     end
 
     def maybe_wrap_tls(client)

data/lib/wsv/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Wsv
-  VERSION = "0.10.1"
+  VERSION = "0.12.0"
 end

data/lib/wsv.rb

@@ -4,6 +4,7 @@ require_relative "wsv/version"
 require_relative "wsv/status"
 require_relative "wsv/mime_types"
 require_relative "wsv/path_resolver"
+require_relative "wsv/range_request"
 require_relative "wsv/request"
 require_relative "wsv/response"
 require_relative "wsv/cors"

data/test/access_log_test.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require_relative "test_helper"
+
+class AccessLogTest < Minitest::Test
+  def test_records_clf_line_for_serviced_request
+    out = StringIO.new
+    log = Wsv::Server::AccessLog.new(out: out)
+
+    log.record(
+      remote_addr: "127.0.0.1",
+      request: build_request(method: "GET", target: "/index.html", version: "HTTP/1.1"),
+      status: 200,
+      bytes: 1234
+    )
+
+    assert_match(%r{\A127\.0\.0\.1 - - \[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\] }, out.string)
+    assert_includes out.string, %("GET /index.html HTTP/1.1" 200 1234)
+  end
+
+  def test_uses_dash_for_zero_bytes
+    out = StringIO.new
+    Wsv::Server::AccessLog.new(out: out).record(
+      remote_addr: "127.0.0.1",
+      request: build_request(method: "HEAD", target: "/", version: "HTTP/1.1"),
+      status: 200,
+      bytes: 0
+    )
+
+    assert_match(/200 -\z/, out.string.chomp)
+  end
+
+  def test_uses_dash_when_remote_addr_unknown
+    out = StringIO.new
+    Wsv::Server::AccessLog.new(out: out).record(
+      remote_addr: nil,
+      request: build_request(method: "GET", target: "/", version: "HTTP/1.1"),
+      status: 200,
+      bytes: 1
+    )
+
+    assert out.string.start_with?("- - - ")
+  end
+
+  def test_uses_dash_when_request_unparsed
+    out = StringIO.new
+    Wsv::Server::AccessLog.new(out: out).record(
+      remote_addr: "127.0.0.1",
+      request: nil,
+      status: 408,
+      bytes: 11
+    )
+
+    assert_includes out.string, %("-" 408 11)
+  end
+
+  def test_sanitizes_control_characters_in_request_line
+    out = StringIO.new
+    Wsv::Server::AccessLog.new(out: out).record(
+      remote_addr: "127.0.0.1",
+      request: build_request(method: "GET", target: "/x\r\ninjected:1", version: "HTTP/1.1"),
+      status: 400,
+      bytes: 0
+    )
+
+    refute_includes out.string, "\r"
+    assert_equal 1, out.string.count("\n")
+    assert_includes out.string, '\\x0d\\x0a'
+  end
+
+  def test_sanitizes_quotes_in_request_target
+    out = StringIO.new
+    Wsv::Server::AccessLog.new(out: out).record(
+      remote_addr: "127.0.0.1",
+      request: build_request(method: "GET", target: %(/x"y), version: "HTTP/1.1"),
+      status: 200,
+      bytes: 1
+    )
+
+    assert_includes out.string, '\\x22'
+  end
+
+  def test_null_access_log_is_silent
+    log = Wsv::Server::NullAccessLog.new
+
+    assert_nil log.record(remote_addr: "127.0.0.1", request: nil, status: 200, bytes: 0)
+  end
+
+  private
+
+  def build_request(method:, target:, version:)
+    Wsv::Request.new(method: method, target: target, version: version, headers: {})
+  end
+end

data/test/app_test.rb

@@ -109,6 +109,17 @@ class AppTest < Minitest::Test
     assert_equal "hi", response.body
   end
 
+  def test_304_takes_precedence_over_range
+    path = File.join(@dir, "x.txt")
+    File.write(path, "hi")
+
+    response = @app.call(req("GET", "/x.txt",
+                             "if-modified-since" => File.mtime(path).httpdate,
+                             "range" => "bytes=0-0"))
+
+    assert_equal 304, response.status
+  end
+
   def test_invalid_if_modified_since_is_ignored
     File.write(File.join(@dir, "x.txt"), "hi")
 
@@ -337,50 +348,34 @@ class AppTest < Minitest::Test
     assert_equal "bytes", response.headers["Accept-Ranges"]
   end
 
-  def test_cors_disabled_omits_acao_header
-    File.write(File.join(@dir, "x.txt"), "hi")
+  # CORS overlay (Access-Control-Allow-Origin / Vary) is applied by
+  # Server::Connection, not by App. App only short-circuits OPTIONS preflight
+  # and adds OPTIONS to the Allow header. End-to-end CORS behavior is covered
+  # by server_test.rb.
 
-    response = @app.call(req("GET", "/x.txt"))
-
-    refute response.headers.key?("Access-Control-Allow-Origin")
-  end
-
-  def test_cors_adds_acao_to_successful_response
+  def test_app_does_not_add_cors_headers_directly
     File.write(File.join(@dir, "x.txt"), "hi")
-    cors_app = Wsv::App.new(File.realpath(@dir), cors: true)
+    cors_app = Wsv::App.new(File.realpath(@dir), cors: Wsv::Cors.new)
 
     response = cors_app.call(req("GET", "/x.txt"))
 
-    assert_equal 200, response.status
-    assert_equal "hi", response.body
-    assert_equal "*", response.headers["Access-Control-Allow-Origin"]
-    assert_equal "Origin", response.headers["Vary"]
-  end
-
-  def test_cors_adds_acao_to_error_response
-    cors_app = Wsv::App.new(File.realpath(@dir), cors: true)
-
-    response = cors_app.call(req("GET", "/missing.txt"))
-
-    assert_equal 404, response.status
-    assert_equal "*", response.headers["Access-Control-Allow-Origin"]
+    refute response.headers.key?("Access-Control-Allow-Origin")
+    refute response.headers.key?("Vary")
   end
 
   def test_cors_preflight_returns_204_with_methods_and_max_age
-    cors_app = Wsv::App.new(File.realpath(@dir), cors: true)
+    cors_app = Wsv::App.new(File.realpath(@dir), cors: Wsv::Cors.new)
 
     response = cors_app.call(req("OPTIONS", "/x.txt"))
 
     assert_equal 204, response.status
-    assert_equal "*", response.headers["Access-Control-Allow-Origin"]
     assert_equal "GET, HEAD, OPTIONS", response.headers["Access-Control-Allow-Methods"]
     assert_equal "86400", response.headers["Access-Control-Max-Age"]
-    assert_equal "Origin", response.headers["Vary"]
     assert_equal "", response.body
   end
 
   def test_cors_preflight_echoes_requested_headers
-    cors_app = Wsv::App.new(File.realpath(@dir), cors: true)
+    cors_app = Wsv::App.new(File.realpath(@dir), cors: Wsv::Cors.new)
 
     response = cors_app.call(req("OPTIONS", "/x.txt", "access-control-request-headers" => "X-Custom, Authorization"))
 
@@ -389,7 +384,7 @@ class AppTest < Minitest::Test
   end
 
   def test_cors_preflight_omits_allow_headers_when_not_requested
-    cors_app = Wsv::App.new(File.realpath(@dir), cors: true)
+    cors_app = Wsv::App.new(File.realpath(@dir), cors: Wsv::Cors.new)
 
     response = cors_app.call(req("OPTIONS", "/x.txt"))
 
@@ -404,13 +399,12 @@ class AppTest < Minitest::Test
   end
 
   def test_cors_405_advertises_options_in_allow
-    cors_app = Wsv::App.new(File.realpath(@dir), cors: true)
+    cors_app = Wsv::App.new(File.realpath(@dir), cors: Wsv::Cors.new)
 
     response = cors_app.call(req("POST", "/x.txt"))
 
     assert_equal 405, response.status
     assert_equal "GET, HEAD, OPTIONS", response.headers["Allow"]
-    assert_equal "*", response.headers["Access-Control-Allow-Origin"]
   end
 
   def test_multipart_range_falls_through_to_200

data/test/banner_test.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+require_relative "test_helper"
+
+class BannerTest < Minitest::Test
+  include TlsTestHelpers
+
+  ROOT = Dir.tmpdir
+
+  def test_warns_when_binding_to_non_loopback
+    err = StringIO.new
+    build(host: "0.0.0.0", err: err).emit
+
+    assert_includes err.string, "WARNING"
+    assert_includes err.string, "0.0.0.0"
+  end
+
+  def test_no_warning_for_loopback_bind
+    err = StringIO.new
+    build(host: "127.0.0.1", err: err).emit
+
+    refute_includes err.string, "WARNING"
+  end
+
+  def test_warns_when_binding_to_ipv6_wildcard
+    err = StringIO.new
+    build(host: "::", err: err).emit
+
+    assert_includes err.string, "WARNING"
+    assert_includes err.string, "::"
+  end
+
+  def test_no_warning_for_ipv6_loopback
+    err = StringIO.new
+    build(host: "::1", err: err).emit
+
+    refute_includes err.string, "WARNING"
+  end
+
+  def test_brackets_ipv6_address_in_url
+    out = StringIO.new
+    build(host: "::1", port: 8000, out: out).emit
+
+    assert_includes out.string, "http://[::1]:8000/"
+    refute_includes out.string, "http://::1:8000/"
+  end
+
+  def test_percent_encodes_ipv6_zone_identifier
+    out = StringIO.new
+    build(host: "fe80::1%eth0", port: 8000, out: out).emit
+
+    assert_includes out.string, "http://[fe80::1%25eth0]:8000/"
+  end
+
+  def test_logs_https_scheme_when_tls_enabled
+    out = StringIO.new
+    build(host: "127.0.0.1", port: 8000, out: out, tls: ephemeral_tls).emit
+
+    assert_includes out.string, "https://"
+  end
+
+  def test_warns_about_self_signed_cert
+    err = StringIO.new
+    build(host: "127.0.0.1", err: err, tls: ephemeral_tls).emit
+
+    assert_includes err.string, "self-signed"
+  end
+
+  private
+
+  def build(host:, port: 0, root: ROOT, out: StringIO.new, err: StringIO.new, tls: nil)
+    Wsv::Server::Banner.new(host: host, port: port, root: root, out: out, err: err, tls: tls)
+  end
+end

data/test/cli_test.rb

@@ -17,7 +17,7 @@ class CLITest < Minitest::Test
 
   def test_host_port_and_directory
     Dir.mktmpdir do |dir|
-      options = Wsv::CLI.new([]).parse_options(["-h", "127.0.0.1", "-p", "3000", dir])
+      options = Wsv::CLI.new([]).parse_options(["--host", "127.0.0.1", "-p", "3000", dir])
 
       assert_equal "127.0.0.1", options[:host]
       assert_equal 3000, options[:port]
@@ -25,6 +25,14 @@ class CLITest < Minitest::Test
     end
   end
 
+  def test_short_help_flag
+    out = StringIO.new
+    code = Wsv::CLI.new(["-h"], out: out).run
+
+    assert_equal 0, code
+    assert_includes out.string, "Usage: wsv"
+  end
+
   def test_long_host_port_and_directory
     Dir.mktmpdir do |dir|
       options = Wsv::CLI.new([]).parse_options(["--host", "localhost", "--port", "4567", dir])
@@ -35,6 +43,48 @@ class CLITest < Minitest::Test
     end
   end
 
+  def test_bare_ipv6_host
+    options = Wsv::CLI.new([]).parse_options(["--host", "::1"])
+
+    assert_equal "::1", options[:host]
+  end
+
+  def test_bracketed_ipv6_host_is_unwrapped
+    options = Wsv::CLI.new([]).parse_options(["--host", "[::1]"])
+
+    assert_equal "::1", options[:host]
+  end
+
+  def test_bracketed_ipv6_with_zone_id
+    options = Wsv::CLI.new([]).parse_options(["--host", "[fe80::1%en0]"])
+
+    assert_equal "fe80::1%en0", options[:host]
+  end
+
+  def test_host_with_port_suffix_rejected
+    err = StringIO.new
+    code = Wsv::CLI.new(["--host", "[::1]:8000"], err: err).run
+
+    assert_equal 1, code
+    assert_includes err.string, "must not include a port"
+  end
+
+  def test_host_unbalanced_brackets_rejected
+    err = StringIO.new
+    code = Wsv::CLI.new(["--host", "[::1"], err: err).run
+
+    assert_equal 1, code
+    assert_includes err.string, "unbalanced brackets"
+  end
+
+  def test_host_empty_brackets_rejected
+    err = StringIO.new
+    code = Wsv::CLI.new(["--host", "[]"], err: err).run
+
+    assert_equal 1, code
+    assert_includes err.string, "bracket value is empty"
+  end
+
   def test_help
     out = StringIO.new
     code = Wsv::CLI.new(["--help"], out: out).run
@@ -62,6 +112,14 @@ class CLITest < Minitest::Test
     assert_includes err.string, "port must be between 1 and 65535"
   end
 
+  def test_port_above_max_rejected
+    err = StringIO.new
+    code = Wsv::CLI.new(["-p", "65536"], err: err).run
+
+    assert_equal 1, code
+    assert_includes err.string, "port must be between 1 and 65535"
+  end
+
   def test_missing_directory
     err = StringIO.new
     missing = File.join(Dir.tmpdir, "wsv-missing-#{Time.now.to_i}-#{$$}")
@@ -89,6 +147,19 @@ class CLITest < Minitest::Test
     end
   end
 
+  def test_missing_cert_file_errors_at_runtime
+    err = StringIO.new
+    Dir.mktmpdir do |dir|
+      missing_cert = File.join(dir, "missing-cert.pem")
+      missing_key = File.join(dir, "missing-key.pem")
+      code = Wsv::CLI.new(["--cert", missing_cert, "--key", missing_key, dir], err: err).run
+
+      assert_equal 1, code
+      assert_includes err.string, "wsv:"
+      assert_includes err.string, "missing-cert.pem"
+    end
+  end
+
   def test_cert_and_key_parses
     Dir.mktmpdir do |dir|
       options = Wsv::CLI.new([]).parse_options(["--cert", "a.pem", "--key", "b.pem", dir])

data/test/cors_test.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require_relative "test_helper"
+
+class CorsTest < Minitest::Test
+  def setup
+    @cors = Wsv::Cors.new
+  end
+
+  def test_allow_methods_returns_array
+    assert_equal %w[GET HEAD OPTIONS], @cors.allow_methods
+  end
+
+  # `Cors#preflight` returns the preflight-specific headers only;
+  # Server::Connection adds ACAO / Vary on top, uniformly.
+
+  def test_preflight_returns_204
+    response = @cors.preflight(req)
+
+    assert_equal 204, response.status
+  end
+
+  def test_preflight_includes_allow_methods_and_max_age
+    response = @cors.preflight(req)
+
+    assert_equal "GET, HEAD, OPTIONS", response.headers["Access-Control-Allow-Methods"]
+    assert_equal "86400", response.headers["Access-Control-Max-Age"]
+  end
+
+  def test_preflight_omits_acao_and_vary
+    response = @cors.preflight(req)
+
+    refute response.headers.key?("Access-Control-Allow-Origin")
+    refute response.headers.key?("Vary")
+  end
+
+  def test_preflight_echoes_requested_headers
+    response = @cors.preflight(req("access-control-request-headers" => "X-Custom, Authorization"))
+
+    assert_equal "X-Custom, Authorization", response.headers["Access-Control-Allow-Headers"]
+  end
+
+  def test_preflight_omits_allow_headers_when_not_requested
+    response = @cors.preflight(req)
+
+    refute response.headers.key?("Access-Control-Allow-Headers")
+  end
+
+  def test_overlay_adds_acao_and_vary
+    base = Wsv::Response.text(200)
+    overlaid = @cors.overlay(base)
+
+    assert_equal "*", overlaid.headers["Access-Control-Allow-Origin"]
+    assert_equal "Origin", overlaid.headers["Vary"]
+  end
+
+  def test_overlay_preserves_existing_headers
+    base = Wsv::Response.text(404)
+    overlaid = @cors.overlay(base)
+
+    assert_equal "text/plain; charset=utf-8", overlaid.headers["Content-Type"]
+  end
+
+  def test_overlay_returns_a_new_response_keeping_status
+    base = Wsv::Response.text(404)
+    overlaid = @cors.overlay(base)
+
+    assert_equal 404, overlaid.status
+  end
+
+  private
+
+  def req(headers = {})
+    Wsv::Request.new(method: "OPTIONS", target: "/", version: "HTTP/1.1", headers: headers)
+  end
+end

data/test/custom_app_test.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+require "net/http"
+require "socket"
+require_relative "test_helper"
+
+# Covers two related extension points:
+#
+#   * `Wsv::Server.new(app:)` — DI a custom request handler
+#   * `Wsv::Response.sse { |io| ... }` — long-lived Server-Sent Events responses
+class CustomAppTest < Minitest::Test
+  def setup
+    @dir = Dir.mktmpdir
+    @server = nil
+    @thread = nil
+  end
+
+  def teardown
+    @server&.stop
+    @thread&.join(2)
+    FileUtils.remove_entry(@dir)
+  end
+
+  def test_custom_app_handles_requests_in_place_of_default
+    app = Class.new do
+      def call(_request)
+        Wsv::Response.new(
+          status: 200,
+          headers: { "Content-Type" => "text/plain", "Content-Length" => "8" },
+          body: "from-app"
+        )
+      end
+    end.new
+
+    start_server(app: app)
+    response = get("/anything")
+
+    assert_equal "200", response.code
+    assert_equal "from-app", response.body
+  end
+
+  def test_sse_response_delivers_chunks_in_order
+    chunks = ["data: one\n\n", "data: two\n\n", "data: three\n\n"]
+    app = Class.new do
+      define_method(:call) do |_request|
+        Wsv::Response.sse do |io|
+          chunks.each do |c|
+            io.write(c)
+            io.flush
+          end
+        end
+      end
+    end.new
+
+    start_server(app: app)
+    body = read_full_body("/events")
+
+    chunks.each { |c| assert_includes body, c }
+    assert_operator body.index(chunks[0]), :<, body.index(chunks[1])
+    assert_operator body.index(chunks[1]), :<, body.index(chunks[2])
+  end
+
+  def test_sse_response_uses_event_stream_content_type
+    app = Class.new do
+      def call(_request)
+        Wsv::Response.sse { |io| io.write("data: hi\n\n") }
+      end
+    end.new
+
+    start_server(app: app)
+    response = get("/stream")
+
+    assert_equal "200", response.code
+    assert_match %r{text/event-stream}, response["content-type"]
+    refute response["content-length"], "sse must not advertise Content-Length"
+  end
+
+  private
+
+  def start_server(app:)
+    @server = Wsv::Server.new(
+      host: "127.0.0.1",
+      port: free_port,
+      root: @dir,
+      out: StringIO.new,
+      err: StringIO.new,
+      app: app
+    )
+    @thread = Thread.new { @server.start }
+    wait_until_ready
+  end
+
+  def free_port
+    s = TCPServer.new("127.0.0.1", 0)
+    s.addr[1]
+  ensure
+    s&.close
+  end
+
+  def wait_until_ready
+    deadline = Time.now + 2
+    loop do
+      TCPSocket.open("127.0.0.1", @server.port).close
+      break
+    rescue Errno::ECONNREFUSED
+      raise if Time.now >= deadline
+
+      sleep 0.01
+    end
+  end
+
+  def get(path)
+    Net::HTTP.get_response(URI("http://127.0.0.1:#{@server.port}#{path}"))
+  end
+
+  # Read until the server closes the connection (streaming responses
+  # omit Content-Length so Net::HTTP would still read-to-EOF, but for
+  # clarity we use a raw socket here).
+  def read_full_body(path)
+    socket = TCPSocket.open("127.0.0.1", @server.port)
+    socket.write("GET #{path} HTTP/1.1\r\nHost: localhost\r\n\r\n")
+    raw = socket.read
+    header_end = raw.index("\r\n\r\n")
+    raw[(header_end + 4)..]
+  ensure
+    socket&.close
+  end
+end

data/test/path_resolver_test.rb

@@ -13,6 +13,14 @@ class PathResolverTest < Minitest::Test
     FileUtils.remove_entry(@dir)
   end
 
+  def test_empty_path_returns_redirect
+    # `""` has no trailing slash → resolver returns redirect the same
+    # way it would for `/somedir` when `somedir` is a directory.
+    result = @resolver.resolve("")
+
+    assert_predicate result, :redirect?
+  end
+
   def test_resolves_existing_file
     path = File.join(@dir, "hello.txt")
     File.write(path, "hi")